Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ApiTokenAuthentication fails to check "aud" claim's value with drf-oidc-auth versions >= 1.0.0 #68

Open
akikoskinen opened this issue Aug 3, 2021 · 1 comment
Open

ApiTokenAuthentication fails to check "aud" claim's value with drf-oidc-auth versions >= 1.0.0 #68

akikoskinen opened this issue Aug 3, 2021 · 1 comment
Labels
bug

Comments

@akikoskinen
Copy link
Contributor

When using the ApiTokenAuthentication class, drf-oidc-auth is required as a dependency. Actually ApiTokenAuthentication is tightly coupled with drf-oidc-auth as it extends drf-oidc-auth's JSONWebTokenAuthentication. Django-helusers doesn't restrict the used version of drf-oidc-auth in any way.

For this to work Django-helusers should configure drf-oidc-auth correctly. There is now a problem with how accepted audience values are configured in different versions of drf-oidc-auth.

ApiTokenAuthentication overrides the get_audiences method and this works for drf-oidc-auth versions < 1. In version 1.0.0 drf-oidc-auth changed the way how accepted audiences are configured. This is mentioned in the release notes.

Currently ApiTokenAuthentication accepts any "aud" claim value with drf-oidc-auth versions >= 1.0.0.
@akikoskinen akikoskinen added the bug label Aug 3, 2021
@akikoskinen
Copy link
Contributor Author

One option would be to reimplement ApiTokenAuthentication using RequestJWTAuthentication and completely without drf-oidc-auth. Perhaps something like this (completely untested):

from rest_framework.authentication import BaseAuthentication
from rest_framework.exceptions import AuthenticationFailed

class ApiTokenAuthentication(BaseAuthentication):
    def authenticate(self, request):
        auther = RequestJWTAuthentication()
        
        try:
            result = auther.authenticate(request)
            if result is not None:
                return (result.user, result.data)
            else:
                return None
        except AuthenticationError as e:
            raise AuthenticationFailed from e

@hughman77 hughman77 mentioned this issue Dec 12, 2021
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@akikoskinen